Mysterious malware that reportedly attacked Iran's oil ministry in April shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.

The highly destructive malware known as Wiper has never been recovered, but its devastating effects are confirmed in a report published on Wednesday from researchers at Russia-based antivirus provider Kaspersky Lab. It struck as early as last December and used an advanced algorithm to permanently purge large portions of hard drives from computers it infected. Because it struck the same geographic region targeted by Stuxnet, researchers have spent months searching for evidence that links Wiper to the operation, which reportedly was sponsored by the US and Israeli militaries to disrupt Iran's nuclear program.

Researchers have also looked for links between Wiper and the malware titles dubbed Flame, Duqu, and Gauss, which more recently were found to be spawned by the same software developers as Stuxnet. Flame was discovered by Kaspersky researchers only after they were asked by the International Telecommunications Union to look into incidents involving Wiper. During the course of the investigation, they soon zeroed in on Flame. They're only now returning their attention to the original probe.

The Tilded Platform

The latest Kaspersky report reveals two pieces of evidence that there may be a link. The first: temporary Windows files generated by Wiper begin with a tilde character (~), followed by the letter d (either capital or lower case), followed by other letters or numbers. This "tilded platform," as researchers have come to call the convention, is also found in both Stuxnet and Duqu. In their investigation, Kaspersky researchers focused on one file in particular, titled ~DEB93D.tmp, which was found on an "abnormally large number of machines" infected by Wiper. They noticed it started with the bytes "6F C8," which happen to be the same bytes present in encrypted form in the main module of a Duqu sample from November 2010.

The second sign linking Wiper to Stuxnet and Duqu was that the malware assigned a high priority to seeking out and destroying encrypted files with names ending in .PNF that were stored in the inf folder that is found on Windows machines. Both Stuxnet and Duqu kept their core contents stored in encrypted PNF files stored in that location.
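The two indicators above (the "tilded" temp-file naming convention with the 6F C8 prefix, and encrypted .PNF files kept under the Windows inf folder) are the kind of thing a responder would sweep a disk image or file share for. The scanner below is an added example written for this article, not Kaspersky's tooling; it assumes a `.tmp` suffix on the tilded names (taken from the ~DEB93D.tmp sample) and builds its own constructed fixture of harmless byte blobs so it can be run offline.

```python
"""Triage scanner for the "tilded platform" indicators described in the article.

Added example, not Kaspersky's tooling. It walks a directory tree and flags:
  * temp-file names of the form ~d<alnum> / ~D<alnum> (the tilded convention);
  * such files whose first two bytes are 6F C8, the prefix the report notes
    on ~DEB93D.tmp and in an encrypted Duqu module;
  * .PNF files stored under a directory named "inf" (where Stuxnet and Duqu
    kept encrypted components).
The optional .tmp suffix and the fixture layout are assumptions for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

TILDED_RE = re.compile(r"^~[dD][0-9A-Za-z]+(\.tmp)?$")  # ~ + d/D + letters/digits
DUQU_PREFIX = b"\x6f\xc8"                                # bytes quoted in the report


@dataclass
class Findings:
    tilded: list = field(default_factory=list)      # files matching the naming rule
    prefixed: list = field(default_factory=list)    # tilded files that also start 6F C8
    pnf_in_inf: list = field(default_factory=list)  # .PNF files under an "inf" folder


def is_tilded_name(name: str) -> bool:
    """True if the file name follows the tilded convention."""
    return TILDED_RE.match(name) is not None


def has_duqu_prefix(path: str) -> bool:
    """True if the file's first two bytes are 6F C8."""
    with open(path, "rb") as fh:
        return fh.read(2) == DUQU_PREFIX


def scan_tree(root: str) -> Findings:
    """Walk `root` and collect paths that match each indicator."""
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        in_inf = os.path.basename(dirpath).lower() == "inf"
        for name in files:
            path = os.path.join(dirpath, name)
            if is_tilded_name(name):
                found.tilded.append(path)
                if has_duqu_prefix(path):
                    found.prefixed.append(path)
            if in_inf and name.lower().endswith(".pnf"):
                found.pnf_in_inf.append(path)
    return found


def build_sample_tree(root: str) -> None:
    """Write a constructed fixture (benign byte blobs, not malware) whose names
    and locations exercise each rule once."""
    samples = {
        os.path.join("Temp", "~DEB93D.tmp"): DUQU_PREFIX + b"\x00" * 30,  # name + prefix
        os.path.join("Temp", "~dA1B2.tmp"): b"MZ" + b"\x90" * 30,        # name only
        os.path.join("Temp", "report.tmp"): DUQU_PREFIX + b"\x00" * 30,  # prefix, plain name
        os.path.join("Temp", "~x9F2C.tmp"): b"\x00" * 32,                # tilde but not d/D
        os.path.join("Windows", "inf", "oem3.PNF"): b"\x00" * 32,        # PNF under inf
        os.path.join("Windows", "other", "oem4.PNF"): b"\x00" * 32,      # PNF elsewhere
    }
    for rel, blob in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)


def demo() -> dict:
    """Build the fixture in a temp dir, scan it, and return sorted basenames."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = scan_tree(root)
        return {
            "tilded": sorted(os.path.basename(p) for p in found.tilded),
            "prefixed": sorted(os.path.basename(p) for p in found.prefixed),
            "pnf_in_inf": sorted(os.path.basename(p) for p in found.pnf_in_inf),
        }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Run against a real mount point by replacing the fixture with `scan_tree("/mnt/image")`; every hit is a lead for manual review, not a verdict, since ordinary software also creates `~`-prefixed temp files and legitimate drivers leave .PNF files in inf.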

"If the purpose of the attackers was to make sure the Wiper malware could never be discovered, it makes sense to first wipe the malware components, and only then to wipe other files in the system which could make it crash," the Kaspersky report explained.

The researchers are careful to note that they can't be certain Wiper is connected to Stuxnet and Duqu. But if it is, the link raises a major question: why would its creators unleash a highly destructive payload that would almost surely blow the cover of the covert Flame- and Duqu-related operations? One possibility is that the operators underestimated the attention Wiper would bring. If so, that was at least the second error to seriously undermine the operations. The first was a bug in Stuxnet that caused some infected machines to spiral into an endless reboot loop. The disruption is what ultimately led to the discovery of the infections.

But another possibility is that Wiper creators deliberately programmed it to permanently erase evidence that was so sensitive it was worth destroying even if it revealed the operations. If that's the case, it means researchers have yet to uncover crucial parts of this international whodunnit.

Kaspersky researcher Schouwenberg went on to say the precise relationship may never be known because Wiper was so successful in ensuring no forensically valuable data survived on computers it infected. With no data to examine, no discovery of the binary files containing the underlying Wiper code, and no detections of an infection since April, it may be impossible to uncover the operation's true origin.

Schouwenberg said there is evidence to discount initial theories that Wiper was a component of Flame, the highly advanced espionage malware that targeted Iranian networks. An analysis of data collected by the cloud-based Kaspersky Security Network found no correlation between Flame-infected machines and the destructive behavior of Wiper, he said. Wiper also didn't fit in with Flame's plug-in architecture.

What is known is that Wiper used a wiping algorithm that was vastly different from that employed by Shamoon. One of the things that made Wiper so effective is that it left large portions of many files intact and only destroyed the crucial headers required to read them. By limiting which data was erased, Wiper was able to work much more quickly than it would have otherwise.
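Header-only destruction is easy to miss in triage because the bulk of each file is still there. The check below is an added example written for this article (not from the Kaspersky report): it compares a file's leading bytes with the magic number expected for its extension and measures how much of a reference copy survives, which makes the "almost intact yet unreadable" effect concrete. The magic table, the 64-byte header window and the constructed sample file are assumptions.

```python
"""Spotting files whose header was destroyed while the body survived.

Added example, not code from the Kaspersky report. Classifies a file's leading
bytes against the magic number its extension implies, and measures how much
of a reference copy is unchanged. Magic table and header window are assumed.
"""
HEADER_WINDOW = 64  # assumed: number of leading bytes inspected for overwriting

# Assumed magic-number table; extend for the formats seen in an investigation.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "exe": b"MZ",
}


def classify_header(data: bytes, ext: str) -> str:
    """Return 'intact', 'overwritten', 'mismatch' or 'unknown-type'."""
    expected = MAGIC.get(ext.lower())
    if expected is None:
        return "unknown-type"
    if data.startswith(expected):
        return "intact"
    head = data[:HEADER_WINDOW]
    if head and len(set(head)) == 1:
        # A uniform fill (all 0x00, all 0xFF, ...) where a signature should be
        # is the pattern a header-only wipe leaves behind.
        return "overwritten"
    return "mismatch"


def intact_ratio(reference: bytes, candidate: bytes) -> float:
    """Fraction of byte positions where candidate still equals reference."""
    n = max(len(reference), len(candidate))
    if n == 0:
        return 1.0
    same = sum(1 for a, b in zip(reference, candidate) if a == b)
    return same / n


def make_sample(ext: str, size: int = 4096) -> bytes:
    """Constructed sample: a real magic number followed by a deterministic body."""
    body = bytes((i * 37 + 11) & 0xFF for i in range(size))
    return MAGIC[ext] + body


def demo() -> dict:
    """Classify an intact sample and a header-zeroed copy of it."""
    original = make_sample("png")
    damaged = b"\x00" * HEADER_WINDOW + original[HEADER_WINDOW:]  # simulated damage
    return {
        "original": classify_header(original, "png"),
        "damaged": classify_header(damaged, "png"),
        "ratio": intact_ratio(original, damaged),
        "wrong_type": classify_header(make_sample("zip"), "exe"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The damaged copy keeps over 98% of its bytes, yet every parser keyed on the signature rejects it; that is the trade-off the article describes, speed and unrecoverability bought by targeting the few bytes that give the rest its meaning. In a real triage run, files classified as "overwritten" are the ones to carve by body content rather than by magic.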

In addition to the PNF files linked to Stuxnet and Duqu, Kaspersky researchers have identified others whose origin remains unknown. That means it's likely there are other chapters in this state-sponsored-malware saga left to be told. Stay tuned.

18 Reader Comments

One of the things that made Wiper so effective is that it left large portions of many files intact and only destroyed the crucial headers required to read them.

Oh, that's clever. Never really thought of that. I always assumed that even on a blind disk read the whole file had to be overwritten. Now that I think about it, in a blind read you're picking up those headers with file content information and pulling actual data/information from downwind, so to speak. Destroy the headers and one wouldn't know how to recompile the remaining data left over. ....... I think.

I'm not an expert, but given that I've had to recover a lot of lost stuff over the past 30 years, I'm a fairly decent amateur data recovery dude. That's my take anyway, could be wrong.

Wouldn't these attacks be considered an act of war? Why would the USA admit to them?

Any espionage is technically an act of war. They are rarely acted upon because everyone is spying on everyone else. Also, with such a huge disparity in power it's assumed that no one would attack us without everyone else behind them. Wiping the evidence helps ensure that won't happen.

Wouldn't these attacks be considered an act of war? Why would the USA admit to them?

Possibly hubris associated with being the biggest kid on the block? Or as a means to create paranoia within those targeted sectors. The latter could be useful if it slows down the associated processes because the Iranians feel forced to look at all new hardware/ software purchases and check them for embedded malware. Those are my guesses.

The apparent conflict between covert and overt actions could be explained if this is a modular piece of malware. Back in '04-05 I had a discussion with a handful of friends who were interested in computer security about where malware was headed. We came up with the idea of a modular cross platform piece of software with various levels of activity and consequently risk associated with them.

The base of any infection would be a rootkit module designed to sit tight and not attract any attention, simply remain undetected and provide a foothold. From there various packages for discovery (fingerprinting, heuristics, scanning), spreading (packages of 0-days to exploit vulnerabilities detected via discovery) & payloads (from information siphoning to industrial sabotage) ranging from the silent but limited to the loud but flexible & powerful. To help avoid detection it would be designed to hide from heuristic detection by operating in normal-looking traffic (kudos here on the collision attack and spreading via Windows updates), and it would be very targeted (a la Gauss's architecture fingerprinting & encrypted payload) about where it decided to spread to limit its exposure to people knowledgeable enough to detect it.

The whole purpose of the package in the end is not to remain undetected, but to remain undetected long enough to get the information desired or control of the desired machines - then the main objective takes over*. If you make it out with the information you wanted or destroy the data or hardware intended, mission achieved, time to wipe yourself out to help obscure what exactly you were doing.

* If you can still remain undetected and accomplish your mission, so much the better, but the goal is primarily the objective, not non-detection.

The reboot loop that caused people to become aware of the malware in the 1st place is the thing you really want to avoid (attracting the attention of people who may be able to figure out what's going on) - once you're in that boat, it's no longer about being silent. This leaves you with 3 options: 1) aggressively and quickly pursue your objective hoping you can achieve it before they can react, or 2) play dead: retreat to a well hidden rootkit with a delayed reinfection mechanism, or 3) destroy all evidence you can of what's been going on. 1 & 2 are fairly risky, 3 is the safe course.

With all of these, even if your malware is caught, there's an overriding concern about plausible deniability - you want communication between you and the targets obscured, and don't want to leave anything that specifically points back to you. For this reason the US's taking credit for Stuxnet was a problem - the design overlaps between it and these other packages tie everything back to us, otherwise the whole thing was very deniable (while we had motive and means, we weren't the only ones).

The whole concept of malware like this scared me & those I discussed it with, so we shut up about it until recently, when Stuxnet/Flame/Gauss/Wiper as well as some of the stuff from the Chinese APTs started showing up using pretty much every trick we thought of as well as a number we hadn't (though mostly focused on the same set of objectives we originally envisioned).

One of the things that made Wiper so effective is that it left large portions of many files intact and only destroyed the crucial headers required to read them.

Oh, that's clever. Never really thought of that. I always assumed that even on a blind disk read the whole file had to be overwritten. Now that I think about it, in a blind read you're picking up those headers with file content information and pulling actual data/information from downwind, so to speak. Destroy the headers and one wouldn't know how to recompile the remaining data left over. ....... I think.

I'm not an expert, but given that I've had to recover a lot of lost stuff over the past 30 years, I'm a fairly decent amateur data recovery dude. That's my take anyway, could be wrong.

No, you are right. Unless you intentionally start over, one block seeds the next. Change a byte, and you can brute force it because there are only 256 possible values. Do a 512-byte block (a physical disk block) and you've got it computationally infeasible, in the smallest write operation possible. Even deleting a file takes more writes than that. However some OSs use 4k data blocks which can be written easily because they match the buffers. (I think Windows and Linux are both like this, if they've not upped it to 16k now.)

What's scary about all this cyber-warfare, is that it spills over into the non-combatant arenas, ordinary Internet users without a battle agenda are being affected. Personal computer systems have already become "collateral damage". The legal idiots doing website take-downs need to focus on protecting the communication, technology and science that the Internet enables, not on potential "copyright pirates".

I find it distressing that the US government is letting loose "digital weapons" that can be so easily decrypted and re-purposed for criminal activity aimed at US citizens' bank, credit and financial accounts. Regardless of the original intent or purpose, an underlying issue is that letting Stuxnet or Flame or what-have-you out is going to increase the technological level of the criminal class on the Internet. There already is a black market for digital attack tools. Should the US government or any of our allies be in the business of leaving the digital equivalent of live, unexploded mortar rounds lying around?

Postulator wrote: How is it Kaspersky is doing all the discovery work on these?

I think it's because the Russians and Iran are business partners on a lot of oilfield and nuclear technology. Kaspersky has indicated more than once they have the Iranian government as a client for their Internet security products.

I'm confused about why it would need to be 'so effective' and be 'much more quickly'? Even if the files it was targeting were a few gigs, the whole file could be overwritten and its existence erased totally in a matter of mins... that's pretty fast. What possible security concern could justify the need for an operation time of only a few seconds as opposed to a few mins but leave remains of files all over the target?

Postulator wrote: How is it Kaspersky is doing all the discovery work on these?

I think it's because the Russians and Iran are business partners on a lot of oilfield and nuclear technology. Kaspersky has indicated more than once they have the Iranian government as a client for their Internet security products.

I find it worrying that a Russian security company is making all the announcements, because the paranoia in me says that the US companies are thinking "this is home-made: we'd better not say anything".

I'm confused about why it would need to be 'so effective' and be 'much more quickly'? Even if the files it was targeting were a few gigs, the whole file could be overwritten and its existence erased totally in a matter of mins... that's pretty fast. What possible security concern could justify the need for an operation time of only a few seconds as opposed to a few mins but leave remains of files all over the target?

My guess, without knowing about this specific malware, is that the files are encrypted and they're overwriting the key used to decrypt and use them. Without that, the encrypted data is useless noise anyhow (barring quantum computers coming out next week).